Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: File permissions with custom PostgreSQL image #2404

Open
konsalex opened this issue Mar 20, 2024 · 5 comments · May be fixed by #2473
Open

[Bug]: File permissions with custom PostgreSQL image #2404

konsalex opened this issue Mar 20, 2024 · 5 comments · May be fixed by #2473
Labels
bug An issue with the library

Comments

@konsalex
Copy link

Testcontainers version

v0.29.1

Using the latest Testcontainers version?

Yes

Host OS

MacOS

Host arch

Arm

Go version

1.21.8

Docker version

Client:
 Cloud integration: v1.0.35+desktop.11
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb  6 21:13:26 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.28.0 (139021)
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb  6 21:14:22 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Docker info

Client:
 Version:    25.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1-desktop.4
    Path:     /Users/a/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.6-desktop.1
    Path:     /Users/a/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.24
    Path:     /Users/a/.docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/a/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.22
    Path:     /Users/a/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /Users/a/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.0.1
    Path:     /Users/a/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/a/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.5.0
    Path:     /Users/a/.docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 250
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 12
 Total Memory: 19.51GiB
 Name: docker-desktop
 ID: c8e87756-6c7a-42fc-b2c7-7740dc3ca665
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

What happened?

There is a miss match between running testcontainer and docker run when I mount files and cannot seem to figure out what is the reason.

Example testcontainer code:

postgresContainer, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
		ContainerRequest: testcontainers.ContainerRequest{
			Image: "postgresql-mock",
			Name:  "postgresql_mock",
			Env: map[string]string{
				"POSTGRES_USER":     "random",
				"POSTGRES_PASSWORD": "random",
				"POSTGRES_DB":       "random",
				"POSTGRES_HOST":     "postgresql",
			},
			Privileged:   true,  // tested with false also
			ExposedPorts: []string{"5432/tcp", "8080/tcp"},
			WaitingFor: wait.ForExec([]string{"pg_isready && curl --fail localhost:8080/api/tuner/health || exit 1"}),
			Files: []testcontainers.ContainerFile{
				{
					HostFilePath:      "../cert/server.crt",
					ContainerFilePath: "/var/lib/postgresql/server.crt",
					FileMode:          0o640,
				},
				{
					HostFilePath:      "../cert/server.key",
					ContainerFilePath: "/var/lib/postgresql/server.key",
					FileMode:          0o640,
				},
				{
					HostFilePath:      "../cert/root.crt",
					ContainerFilePath: "/var/lib/postgresql/root.crt",
					FileMode:          0o640,
				},
			}
		},
	})

I tested with various file modes also like 0o600, 0o444 0o440 but no luck.

The errors I get are either this:

FATAL:  could not load server certificate file "/var/lib/postgresql/server.crt": SSL error code 2147483661

or that:

File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root

The docker run command seems to work fine:

docker run -d -p 5432:5432 -p 8080:8080 --name postgresql-mock --memory="1250m" \
        -e POSTGRES_PASSWORD=random \
        -e POSTGRES_USER=random \
        -e POSTGRES_DB=random \
        -v "$(pwd)/../cert/server.crt:/var/lib/postgresql/server.crt:ro" \
        -v "$(pwd)/../cert/server.key:/var/lib/postgresql/server.key:ro" \
        -v "$(pwd)/../cert/root.crt:/var/lib/postgresql/root.crt:ro" \
        -v /var/run/docker.sock:/var/run/docker.sock \
        postgresql-mock

Relevant log output

FATAL:  could not load server certificate file "/var/lib/postgresql/server.crt": SSL error code 2147483661

Additional information

No response
@konsalex konsalex added the bug An issue with the library label Mar 20, 2024
@bearrito
Copy link
Contributor

Can you try this with 0400 permissions. I believe the error logs from PG are incorrect.

Here is a reference where the 0400 are used - https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/configuring_and_using_database_servers/proc_configuring-tls-encryption-on-a-postgresql-server_using-postgresql

@konsalex
Copy link
Author

I managed to solve this tbh @bearrito , but in a nasty way:

This is running in a custom entry point for postgresql.

chown 999:999 /var/lib/postgresql/server.crt
chown 999:999 /var/lib/postgresql/server.key
chown 999:999 /var/lib/postgresql/root.crt
chmod 600 /var/lib/postgresql/server.crt
chmod 600 /var/lib/postgresql/server.key
chmod 600 /var/lib/postgresql/root.crt

I tried also 0o400 and every possible code available, nothing worked.

@bearrito
Copy link
Contributor

bearrito commented Mar 22, 2024
edited

Is the image postgres-mock available?
I imagine what's happening is that root (0) has permission but the postgres user (in your case 999) isn't in the group that can read this.

https://www.postgresql.org/docs/16/ssl-tcp.html

On Unix systems, the permissions on server.key must disallow any access to world or group; achieve this by the command chmod 0600 server.key. Alternatively, the file can be owned by root and have group read access (that is, 0640 permissions). That setup is intended for installations where certificate and key files are managed by the operating system. The user under which the PostgreSQL server runs should then be made a member of the group that has access to those certificate and key file

It seems like what needs to happen is that ContainerFile should expose the uid/gid of the file being copied nominally matching the archive mode https://pkg.go.dev/github.com/docker/docker@v26.0.0+incompatible/api/types#CopyToContainerOptions

@konsalex
Copy link
Author

I think that is indeed the case. The image is not public, but the idea is the following:

This is the custom docker file

FROM postgres:16.1
....
# Override entrypoint to spin up the mock server as root user
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

ENTRYPOINT ["entrypoint.sh"]

And then the entry point:

#!/bin/bash

chown 999:999 /var/lib/postgresql/server.crt
chown 999:999 /var/lib/postgresql/server.key
chown 999:999 /var/lib/postgresql/root.crt
chmod 600 /var/lib/postgresql/server.crt
chmod 600 /var/lib/postgresql/server.key
chmod 600 /var/lib/postgresql/root.crt

# Postgres entrypoint
./usr/local/bin/docker-entrypoint.sh postgres -c ssl=on \
    -c ssl_cert_file=/var/lib/postgresql/server.crt \
    -c ssl_key_file=/var/lib/postgresql/server.key \
    -c ssl_ca_file=/var/lib/postgresql/root.crt &

# Mock server
/docker-entrypoint-initdb.d/server &

tail -f /dev/null

Just to re-iterate, this is not the official pg image workflow of course are we modified the entry point, but this is the scenario we were struggling with @bearrito hope this helps.

This was referenced Apr 8, 2024
Open
Open
@bearrito
Copy link
Contributor

bearrito commented Apr 8, 2024

@konsalex This will likely solve your issue after it goes through pr #2473

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug An issue with the library
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat:SSL for postgres bearrito/testcontainers-go
2 participants
@bearrito @konsalex